RELATED CO-PENDING APPLICATION
This application claims priority to Provisional Application Ser. No. 61/587,474, filed on Jan. 17, 2012, having inventors Clayton Douglas Smith et al., titled “METHOD AND APPARATUS FOR REMOTE PORTABLE WIRELESS DEVICE AUTHENTICATION”, and is incorporated herein by reference.
BACKGROUND OF THE DISCLOSURE
The disclosure relates generally to a method and apparatus for using a smart phone to authenticate the user to a smart card reader emulation device.
As computers and other electronic devices store an increasingly large and sensitive amount of information, the computers and other electronic devices must be secured against unauthorized users. An effective way of securing computers and other electronic devices is to encrypt or otherwise disallow access to a computer until a user provides hardware and/or software that includes unique identifying information about the user. In one embodiment, smart cards may be used to store and transmit unique information about a user to a computer, so that the user may request and gain access to the computer. The smart card includes software and/or hardware, and also stores information that uniquely identifies a user. The uniquely identifying information may include, for example, representative biometric information about the user, a unique encryption certificate generated for the user, or other uniquely identifying information. The user may request access to a computer, and be granted access if the user is authenticated. Smart cards, generally, are physical devices that include memory, and may include other processing components, such as a processor and/or battery. The smart cards generally must be carried by the user, and inserted directly into a computer or device associated with the computer. If a user wishes to gain access to many computers, the user may need more than one smart card. The weight and bulk of one or more smart cards may deter users and/or administrators from implementing smart card security. It is common for users to carry smart phones, and smart phones include memory and/or processing capability that may enable them to operate as a smart card. Replacing one or more smart cards with a single smart phone may reduce overall bulk, and may make it more likely for users to implement smart card security.
Known smart card emulation systems can include a component located on a smart phone to remotely lock and unlock a computer via a Bluetooth connection. However such systems do not appear to allow a user to select a signal strength of the Bluetooth connection to change the range that the smart phone may lock or unlock the computer.
Also, it is known to allow a user to automatically lock and unlock a computer using a Bluetooth device such as a mobile phone. The user can configure the proximity distance and duration, and when the Bluetooth device moves away from the computer, the screensaver is triggered and the computer is locked. When the Bluetooth device is in range, the program unlocks the computer, without requiring user input. However, such systems do not require authentication of the Bluetooth device, or transmission of data between the Bluetooth device and the computer for authentication of the Bluetooth device to the computer.
Accordingly, there exists a need for an improved method and apparatus for using a portable wireless device, such as a smart phone to authenticate a user to a smart card reader emulation device.
BRIEF DESCRIPTION OF THE DRAWINGS
The embodiments will be more readily understood in view of the following description when accompanied by the below figures and wherein like reference numerals represent like elements, wherein:
FIG. 1 is a block diagram illustrating an example of a system for remote smart phone authentication according to an embodiment of the present disclosure;
FIG. 2 is a block diagram illustrating smart card reader emulation device and smart phone radio transceivers according to an embodiment of the present disclosure;
FIG. 3 is a flowchart illustrating remote authentication from a smart card reader emulation device according to an embodiment of the present disclosure;
FIG. 4 is a flowchart illustrating remote authentication according to a smart phone according to an embodiment of the present disclosure;
FIG. 5 is a flowchart illustrating a method of proximity authentication according to an embodiment of the present disclosure; and
FIG. 6 is an exemplary graphical user interface showing a selectable signal strength according to an embodiment of the present disclosure.
DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS
Briefly, in one example, a method for user authentication is provided. The method includes receiving a selected signal strength for smart card emulation authentication. The method also includes receiving a signal from a portable wireless device radio transceiver. The method also includes measuring the signal strength of the signal. The method also includes, if the signal is at or above the selected signal strength, transmitting one or more signals to the portable wireless device radio transceiver requesting user authentication, and if the signal is not at or above the selected signal strength, refusing a request to authenticate by the portable wireless device radio transceiver. The method also includes receiving one or more authentication response signals from the portable wireless device in response to the request for user authentication, the one or more response signals including at least authentication information unique to a user.
In another example, a method for user de-authentication is provided. The method includes receiving a selected signal strength for smart card emulation authentication. The method also includes receiving, at the smart card reader emulation device radio transceiver, one or more response signals from the portable wireless device in response to a request for user authentication. The method also includes monitoring the strength of the signal received from the portable wireless device radio transceiver, so that if the signal is at or below the selected signal strength, the smart card reader emulation device de-authenticates the portable wireless device associated with the portable wireless device radio transceiver.
In another example, an apparatus for user authentication is provided, including logic. The logic is operable to receive a selected signal strength for smart card emulation authentication. The logic is also operable to receive a signal from a portable wireless device radio transceiver. The logic is also operable to measure the signal strength of the signal. The logic is also operable to, if the signal is at or above the selected signal strength, transmit one or more signals to the portable wireless device radio transceiver requesting user authentication, and if the signal is not at or above the selected signal strength, refuse a request to authenticate by the portable wireless device radio transceiver. The logic is also operable to receive one or more authentication response signals from the portable wireless device in response to the request for user authentication, the one or more response signals including at least authentication information unique to a user.
In another example, a computer-readable storage medium comprising executable instructions is provided that, when executed by one or more processors, cause the one or more processors to: receive a selected signal strength for smart card emulation authentication, receive a signal from a portable wireless device radio transceiver, measure the signal strength of the signal, if the signal is at or above the selected signal strength, transmit one or more signals to the portable wireless device radio transceiver requesting user authentication, and if the signal is not at or above the selected signal strength, refuse a request to authenticate by the portable wireless device radio transceiver, and receive one or more authentication response signals from the portable wireless device in response to the request for user authentication, the one or more response signals including at least authentication information unique to a user.
Among other advantages, the present disclosure may allow the use of portable wireless devices or other devices a user carries with one or more processors and memory in place of one or more smart cards. Accordingly, the proposed techniques can improve user control of devices by providing a more intuitive and user-friendly way to use a smart card infrastructure and/or other multi-factor authentication effectively. Additionally, the smart phone's keyboard, touch screen, and other sensors can be used as inputs to the smart card applet. Information about which resources are being authenticated to can be presented to the user on the smart phone's screen, so that the user is aware of what resources are being accessed while the smart phone is connected to the computer. The user could also be given a choice about whether or not to accept such accesses. Also, information stored in the smart card applet can be displayed to the user on the smart phone's screen.
FIG. 1 illustrates an example of a system for remote portable wireless device 101 authentication according to an embodiment of the present disclosure. In this example, a radio smart card reader driver 119 on a smart card reader emulation device 117 sends communications to an application 123 and/or operating system 125, indicating that a smart card reader is installed although an actual smart card reader is not installed (instead the smart card reader emulation device is present), and intercepts communications between the application software 123 or the operating system 125 and the fictional smart card reader. The radio smart card reader driver 119 transmits the communication or communications to the portable wireless device 101 via a smart card reader emulation device radio transceiver 121. The portable wireless device application 109 operates on the portable wireless device 101 and includes encryption certificates or other authentication information, and transmits the authentication information or other signals to the radio smart card reader driver 119 based on the communication received from the application software 123 and/or the operating system 125. By intercepting the communication between the application software 123 and/or the operating system 125 and the fictional smart card reader, the radio smart card reader driver 119 can replace a smart card with a portable wireless device application 109 running on a portable wireless device 101, so that a smart card reader is not necessary to utilize functions associated with the application 123 and/or the operating system 125 that are reserved for smart cards.
The portable wireless device 101 may be a computing system or other hardware that includes logic, such as logic that includes, but is not limited to, one or more processors 105, suitable memory, suitable communication interfaces as known in the art, and one or more input and output devices, such as a display 139, as known in the art. In an embodiment, the portable wireless device 101 includes a portable wireless device radio transceiver 103, and the portable wireless device radio transceiver 103 may enable communication between the portable wireless device 101 and one or more smart card reader emulation devices 117, or between a portable wireless device 101 and one or more networks. In an embodiment, the portable wireless device radio transceiver 103 operates over a short range. In an embodiment, the short range is approximately thirty meters or less. In an embodiment, the portable wireless device 101 also includes a radio that allows for long range communication, in the embodiment, more than thirty meters. The portable wireless device 101 may include a telephone portion, including telephone communication circuitry. In an embodiment, the portable wireless device 101 includes additional circuitry or other hardware to provide access to one or more networks, such as, for example, the Internet. In an embodiment, the portable wireless device 101 includes one or more processors 105 that are operable to execute instructions, retrieve locations in the memory 107, and write locations to the memory 107. The processor 105 may access the memory 107 via one or more busses 143. In an embodiment, the memory 107 includes, but is not limited to, hard disk drives, flash memory, random-access memory, or other data storage and recall devices. The portable wireless device 101 may also be associated with additional elements, such as an operating system, a speaker, a microphone, an antenna, a display 147, and an input device. The input device may be, for example and without limitation, a keyboard and/or touch screen.
The portable wireless device 101 may include more than one input device, or may be capable of input from one or more input devices.
The portable wireless device radio transceiver 103, in this example, is a short range transceiver operative to communicate using Bluetooth operations or any suitable operation, and may be hardware or a combination of hardware and executing software. The portable wireless device radio transceiver 103 may, in an embodiment, also be adapted to communicate with one or more cellular telephone networks (WWAN), to transmit data and/or voice signals. As explained in more detail below, the portable wireless device radio transceiver 103 may include one or more modules to communicate over one or more frequencies, or with one or more communication protocols. The portable wireless device radio transceiver 103 receives signals from the smart card reader emulation device radio transceiver 121, and may include communication protocols and/or frequencies that allow the portable wireless device radio transceiver 103 to communicate with the smart card reader emulation device radio transceiver 121. The portable wireless device radio transceiver 103 receives one or more signals from the smart card reader emulation device radio transceiver 121, decodes and/or decrypts the signal to retrieve communications, and transmits the communications to the portable wireless device application 109 or other applications operating on the portable wireless device 101. The portable wireless device radio transceiver 103 also receives communications from the portable wireless device application 109 and/or other applications operating on the portable wireless device 101, and, in the embodiment, transmits them to the smart card reader emulation device radio transceiver 121. In an embodiment, the portable wireless device radio transceiver 103 applies encryption and/or compression algorithms to the communications before transmitting the communications to the smart card reader emulation device radio transceiver 121.
The portable wireless device application 109 includes one or more instructions stored in memory, and is executable by the processor on the portable wireless device 101. The portable wireless device application 109, in an embodiment, remains resident in the memory while the portable wireless device 101 is operating. The portable wireless device application 109 may include one or more modules operable to receive input, generate output, and execute tasks related to the input. The module, in the example, is a processor or a portion of a processor executing instructions to cause the processor to perform one or more functions. The portable wireless device application 109 includes at least a smart card applet 113, a smart card emulator 111, and data storage. The portable wireless device application 109 may also include other modules that allow communication between the portable wireless device application 109 and other applications resident in the memory of the portable wireless device 101. In an embodiment, the portable wireless device application 109 data store 115 is associated with the operating system of the portable wireless device 101, so that the portable wireless device application 109 accesses the data store 115 that is associated with the portable wireless device 101, instead of having a separate data store 115. The portable wireless device application 109 may access a data store 115 associated with the portable wireless device 101 by using one or more instructions provided by the operating system operating on the portable wireless device 101. Inputs to the portable wireless device application 109 may be received from the smart card reader emulation device 117, or inputs to the portable wireless device application 109 may be generated by the portable wireless device 101. Additional inputs associated with the smart card reader emulation device 117 or the portable wireless device 101 may also be used such as, for example and without limitation, biometric input devices such as fingerprint readers or cameras.
The smart card emulator 111 is associated with the portable wireless device application 109, and interacts with the radio transceiver 103, or other applications executing in the memory of the portable wireless device 101. The smart card emulator 111 receives input from the radio transceiver or other applications executing in the memory of the portable wireless device 101, and requests information of the data store 115 and/or the smart card applet 113 in response to the input. An input may be, for example, a request for one or more certificates stored in the data store 115, a PIN authentication, a request for a digital signature, a request for a decryption operation, or other activities associated with a smart card. The information retrieved from the smart card applet 113 and/or the data store 115 is transmitted to the radio transceiver 103, or the requesting application resident in the memory of the portable wireless device 101. The smart card emulator 111 provides a library of functions that are normally available from a smart card, so that the smart card emulator 111 can receive communication normally transmitted to a smart card, and can generate responses that would normally be transmitted by the smart card. In the embodiment, the smart card emulator communicates with the smart card applet 113 via line 151, and with the data store 115. The smart card emulator 111 may optionally also communicate with a selectable signal strength generator 155 via line 153.
The smart card applet 113 includes software executing in memory associated with the portable wireless device 101, and executes requests for authentication. The smart card applet 113 may, in an embodiment, create public/private key pairs, and store the public key and/or private key in memory. In an embodiment, the smart card applet 113 includes public key/private key pairs, and provides for the secure storage of the keys. In an embodiment, the smart card applet 113 may include key history. In an embodiment, the smart card applet 113 may include certificates for each key pair, and may store the certificates. In an embodiment, the smart card applet 113 may include and/or store digitally signed facial recognition data points associated with a user. In an embodiment, the smart card applet 113 may include and/or store digitally signed fingerprint data points associated with a user. In an embodiment, the smart card applet 113 may include additional data structures to store and/or retrieve authentication information related to a user. In an embodiment, the authentication information related to the user may be digitally signed and/or verified. Other information stored or accessed by the smart card applet 113 includes personal identification numbers (PINs) or passwords, along with associated lockout counters which limit the number of invalid guesses an attacker may make.
The data store 115 may include the state of the smart card applet 113. State information may also include, but is not limited to, keys, certificates, fingerprints, PINs and lockout counters, or other information. The state information associated with the data store 115 may be, in an embodiment, a snapshot of the data stored in it at a given moment in time. In an embodiment, the data store 115 may include images or keys or data structures that are associated with the smart card applet 113, and that the smart card applet 113 may use to authenticate a user to a smart card reader emulation device 117. The data store 115 may, in an embodiment, be one or more data structures stored in the memory associated with the portable wireless device 101, and available to the portable wireless device application 109. In an embodiment, the contents of the data store 115 may be modified by the portable wireless device application 109. In an embodiment, the data store 115 may be encrypted, and the encryption keys may be held by the portable wireless device application 109 and/or another application executing in the memory of the portable wireless device 101.
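The applet, emulator and data store described above, as an added example that is not code from the application: a phone-side command handler with a PIN lockout counter, a session flag that gates the signing operation until the PIN has been verified, and a reset of that flag when the link is dropped or the device is de-authenticated. The command names, the lockout limit of three tries, and the HMAC-SHA256 stand-in for signing with the applet's private key are assumptions; a real applet would sign with its stored asymmetric key so that the reader side can verify the result against the certificate it fetched.

```python
"""Phone-side smart card emulator: applet state, PIN lockout, gated signing.

Added example, not code from the application. Command names, the lockout
limit and the HMAC stand-in for the applet's signing key are assumptions.
"""
import hashlib
import hmac
import secrets

MAX_PIN_TRIES = 3  # assumed lockout limit


class DataStore:
    """Persisted applet state: certificate, PIN hash, lockout counter, key."""

    def __init__(self, pin, cert):
        self.pin_salt = secrets.token_bytes(16)
        self.pin_hash = self.hash_pin(pin, self.pin_salt)
        self.tries_left = MAX_PIN_TRIES
        self.cert = cert
        # Stand-in for the private half of the applet's key pair (assumption).
        self.signing_key = secrets.token_bytes(32)

    @staticmethod
    def hash_pin(pin, salt):
        # Never store the PIN itself; a slow salted hash is compared instead.
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)


class SmartCardApplet:
    """Executes authentication requests against the data store."""

    def __init__(self, store):
        self.store = store
        self.pin_verified = False  # volatile session state, not persisted

    def verify_pin(self, pin):
        st = self.store
        if st.tries_left == 0:
            return ("LOCKED", 0)
        # Decrement before comparing so an attempt cut off mid-way still
        # costs a try; the counter is only restored on success.
        st.tries_left -= 1
        candidate = st.hash_pin(pin, st.pin_salt)
        if hmac.compare_digest(candidate, st.pin_hash):
            st.tries_left = MAX_PIN_TRIES
            self.pin_verified = True
            return ("OK", st.tries_left)
        self.pin_verified = False
        return ("LOCKED" if st.tries_left == 0 else "WRONG_PIN", st.tries_left)

    def sign(self, challenge):
        if not self.pin_verified:
            raise PermissionError("PIN not verified")
        # Stand-in for an asymmetric signature (assumption, see lead-in).
        return hmac.new(self.store.signing_key, challenge, hashlib.sha256).digest()

    def reset_session(self):
        """Called when the link drops or the reader de-authenticates the device."""
        self.pin_verified = False


class SmartCardEmulator:
    """Receives commands from the radio transceiver and routes them to the applet."""

    def __init__(self, applet):
        self.applet = applet

    def handle(self, command, *args):
        if command == "GET_CERT":       # public data, no PIN required
            return ("OK", self.applet.store.cert)
        if command == "VERIFY_PIN":
            return self.applet.verify_pin(args[0])
        if command == "SIGN":
            try:
                return ("OK", self.applet.sign(args[0]))
            except PermissionError:
                return ("SECURITY_STATUS_NOT_SATISFIED", None)
        if command == "DISCONNECT":
            self.applet.reset_session()
            return ("OK", None)
        return ("UNKNOWN_COMMAND", None)


if __name__ == "__main__":
    # Constructed sample session: cert fetch, PIN, signature, disconnect.
    emu = SmartCardEmulator(SmartCardApplet(DataStore("1234", b"constructed-cert")))
    print(emu.handle("GET_CERT"))
    print(emu.handle("SIGN", b"challenge"))      # refused before PIN
    print(emu.handle("VERIFY_PIN", "1234"))
    print(emu.handle("SIGN", b"challenge")[0])
    print(emu.handle("DISCONNECT"))
```

Two details matter more than the command set: the signing operation is refused until the PIN has been verified in the current session, and the session flag is cleared on disconnect, so a device that was de-authenticated because its signal weakened has to re-enter the PIN rather than silently resuming.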
The selectable signal strength generator 155 may include optional functionality, and may allow a selection of the signal strength to be made from the portable wireless device 101. In an embodiment, the selectable signal strength generator 155 includes one or more graphical user interfaces to allow a user or administrator to select one or more signal strengths. For example, the selectable signal strength generator 155 may allow a user to select a signal strength based on the user's proximity to a smart card reader emulation device 117, so that the user may be positioned relative to the smart card reader emulation device 117 where the user would like an action to occur, and may use the selectable signal strength generator 155 to set the signal strength based on the user's proximity to the radio transceiver 121 of the smart card reader emulation device 117. The selectable signal strength generator 155 communicates the selection of signal strength to the smart card emulator 111 via line 153, and may receive communication from the smart card emulator 111 via line 153. In an embodiment, the graphical user interface may include the functionality shown in FIG. 6.
In FIG. 6, a graphical user interface 601 is shown. The graphical user interface 601 includes, but is not limited to, a display 603 that shows the current signal strength. In the embodiment, the current signal strength is shown as 15 dB. The user may select a slider 609, to move the selected signal strength between a minimum 605, which, in the embodiment, may turn off the connection, and a maximum 607, which may indicate the maximum range of the radio connection link 141. The user may select the appropriate signal strength, and may save the selection using the “set signal strength” button 611. The graphical user interface is generated and presented by the processor 105 on the screen for use by a user. In an embodiment, the selectable signal strength based smart card emulation authenticator 133 operates a graphical user interface similar to graphical user interface 601. The selectable signal strength based smart card emulation authenticator 133 may operate the graphical user interface 601, where the graphical user interface 601 is resident in the memory 135, and is executed by the processor 157. In an embodiment, the graphical user interface 601 may include additional functionality, such as the ability for a user to select the signal strength based on the current signal strength.
The smart card reader emulation device 117 may be, for example and without limitation, an executing software module executed by logic, such as logic that includes one or more processors 157 and suitable memory 135, discrete logic, an ASIC or any suitable structure. The smart card reader emulation device 117 may include a radio transceiver 121 (e.g. a short range transceiver), which complements the portable wireless device radio transceiver 103, so that the smart card reader emulation device radio transceiver 121 may communicate with the portable wireless device radio transceiver 103. The smart card reader emulation device 117 also includes a radio smart card reader driver 119, application software 123, and one or more operating systems. The radio smart card reader driver 119, application software 123, and one or more operating systems may reside in memory associated with the smart card reader emulation device 117. The memory 135 may, in an embodiment, be nonvolatile. In an embodiment, the radio smart card reader driver 119, application software 123, and one or more operating systems are associated with logic operating on the smart card reader emulation device 117. In an embodiment, the logic includes one or more processors 157, operable to execute instructions residing in memory 135. In an embodiment, the memory 135 includes, but is not limited to, hard disk drives, flash memory, random-access memory, or other data storage and recall devices. The processor 157 communicates with the memory 135 via one or more busses 137. The smart card reader emulation device 117 may also be associated with additional elements, such as, for example, a display 147, and an input device. The input device may be, for example and without limitation, a keyboard and/or touch screen. The smart card reader emulation device 117 may include more than one input device, or may be capable of input from one or more input devices.
The application software 123 may include one or more applications executed by the operating system. The application software 123 includes, in an embodiment, software that requires the authentication of a user. For example, application software 123 may require user authentication to digitally sign a document, access information stored on the memory associated with the smart card reader emulation device 117, or another smart card reader emulation device 117 associated with the smart card reader emulation device 117 via one or more networks, or add, edit, or delete data. In an embodiment, the application software 123 requests user authentication through one or more commands provided by the operating system. In another embodiment, the application software 123 requests user authentication directly from the portable wireless device 101 via the radio smart card reader driver 119. The application software sends commands, in an embodiment, to the operating system 125 and/or other applications in the memory 135, which are received by the radio smart card reader driver 119. The application software 123 may also receive signals from the radio smart card reader driver 119. The communication between the application software 123 and the radio smart card reader driver 119 is shown in line 127.
The operating system 125 includes the operating system currently executing in the memory of the smart card reader emulation device 117. The operating system 125 may include one or more drivers to receive input from input devices associated with the smart card reader emulation device 117, and generate output to output devices associated with the smart card reader emulation device 117. Input devices may include, but are not limited to, keyboards, mice, or one or more network interface cards, that receive input signals from one or more networks, and generate output signals to the one or more networks. Output devices may include, but are not limited to, displays 139, one or more network interface cards, printers, or other devices associated and in communication with the smart card reader emulation device 117. The operating system 125 may include one or more commands to allow application software 123 to receive input from devices associated with the smart card reader emulation device 117, and generate output to the devices associated with the smart card reader emulation device 117. In an embodiment, the commands include one or more commands designated as application programming interface commands. Application programming interface commands may be commands that allow applications to communicate with the operating system. The operating system 125 transmits signals to the radio smart card reader driver 119, and receives signals from the radio smart card reader driver 119, as indicated in line 129.
In an embodiment, the operating system 125 includes one or more commands for a user to authenticate to the operating system 125, in order to gain access to commands provided by the operating system 125. Commands may allow a user to, for example, interact with the operating system, interact with one or more applications associated with the operating system, or access data or execute programs through the operating system. The operating system 125 may include, for example, commands to interact with a smart card reader, and query a smart card for data that authorizes the user to the smart card reader emulation device 117. In an embodiment, the operating system requires authentication to allow a user to log on to the operating system.
The selectable signal strength based smart card emulation authenticator 133 allows a selection of the signal strength to be made. In an embodiment, the selectable signal strength based smart card emulation authenticator 133 includes one or more graphical user interfaces to allow a user or administrator to select one or more signal strengths. For example, the graphical user interface may allow a user to select signal strengths based on an individual portable wireless device 101, so that different portable wireless devices 101 have different signal strength requirements. In another embodiment, the signal strengths may be selected based on one or more security models or other security parameters. In an embodiment, signal strength selections are made via one or more application programming interfaces to the selectable signal strength based smart card emulation authenticator 133. The selectable signal strength based smart card emulation authenticator 133 communicates the selection of signal strength to the radio smart card reader driver 119, and receives information from the radio smart card reader driver 119, as shown in line 131.
The radio smart card reader driver 119 includes executing software and/or hardware associated with the smart card reader emulation device 117 to replace a smart card reader. The radio smart card reader driver 119 includes software and/or instructions operating on the smart card reader emulation device 117 that intercept authentication requests between the application software 123 and/or the operating system 125, and a smart card reader. For example, the application software 123 may attempt to send an authentication request to a smart card reader. The radio smart card reader driver 119 intercepts the authentication request, so that the smart card reader emulation device 117 does not need to operate a smart card reader. The radio smart card reader driver 119 receives authentication requests from the application software 123 and/or the operating system 125, and translates the authentication request into a format that is readable and answerable by the portable wireless device application 109 executing on the portable wireless device 101. The radio smart card reader driver 119 communicates with the smart card reader emulation device radio transceiver 121 to send commands via the radio transceiver to the portable wireless device 101. The radio smart card reader driver 119 also receives communication from the smart card reader emulation device radio transceiver 121, and translates the communication into responses to the authentication requests from the application software 123 and/or the operating system 125. The authentication requests may include, for example, a request for authentication for digital signing, or requests for authentication of a user. The radio smart card reader driver 119 functions as a replacement for a smart card reader on the smart card reader emulation device 117, and appears as a smart card reader to the application software 123 and/or the operating system 125.
Thelink141 between the smart card reader emulationdevice radio transceiver121 and the portable wirelessdevice radio transceiver103 includes, but is not limited to, signals transmitted from the smart card reader emulationdevice radio transceiver121 to the portable wirelessdevice radio transceiver103, or from the portable wirelessdevice radio transceiver103 to the smart card reader emulationdevice radio transceiver121. The signals may include signals required by a protocol over which both transceivers operate, to maintain a link between the two transceivers, which may also include one or more control signals. The signals may also include signals to transmit data between the two transceivers, which may also be known as data signals. Either of the control signals and the data signals may include additional information. For example, and without limitation, signals transmitted by the portable wirelessdevice radio transceiver103 to the smart card reader emulationdevice radio transceiver121 may be received by the smart card reader emulationdevice radio transceiver121, which may also receive signal strength information, or other information regarding the strength and/or quality of thelink141 between the two transceivers. In an embodiment, the data signals include authentication request signals and/or authentication response signals so that the portable wirelessdevice radio transceiver103 to the smart card reader emulationdevice radio transceiver121 may authenticate to one another.
The smart card reader emulation device radio transceiver 121 may include one or more modules to communicate over one or more frequencies, or with one or more communication protocols, such as a Bluetooth transceiver. The smart card reader emulation device radio transceiver 121 receives signals from the portable wireless device radio transceiver 103, and may include communication protocols and/or frequencies that allow the smart card reader emulation device radio transceiver 121 to communicate with the portable wireless device radio transceiver 103. The smart card reader emulation device radio transceiver 121 receives one or more signals from the portable wireless device radio transceiver 103, decodes and/or decrypts the signal to retrieve communications, and transmits the communications to the radio smart card reader driver 119. The smart card reader emulation device radio transceiver 121 also receives communications from the radio smart card reader driver 119, and, in the embodiment, transmits them to the portable wireless device radio transceiver 103. In an embodiment, the smart card reader emulation device radio transceiver 121 applies encryption and/or compression algorithms to the communications before transmitting them to the portable wireless device radio transceiver 103.
In an embodiment, the smart card reader emulation device radio transceiver 121 may also receive information associated with the portable wireless device radio transceiver 103. The information may include, but is not limited to, strength of the radio signal from the portable wireless device 101. The strength of the radio signal from the portable wireless device 101 may indicate the approximate location of the portable wireless device 101 relative to the smart card reader emulation device radio transceiver 121. For example, a weak radio signal from the portable wireless device radio transceiver 103 may indicate that the portable wireless device 101 is at a comparatively larger distance from the smart card reader emulation device radio transceiver 121 than if the radio signal were stronger.
In an embodiment, the application software 123, the operating system 125, the radio smart card reader driver 119, the smart card applet 113, the smart card emulator 111, and the data store 115 described herein may be implemented as software programs stored on a smart card reader emulation device 117 readable storage medium such as but not limited to CD-ROM, RAM, ROM, other forms of ROM, hard drives, distributed memory, etc., in combination with processors. As such, software programs may be stored on smart card reader emulation device 117 readable storage medium. The smart card reader emulation device 117 readable storage medium stores instructions executable by one or more processors that cause the one or more processors to perform operations described herein. In the embodiment shown in FIG. 1, the application software 123, the operating system 125, and the radio smart card reader driver 119 are stored in smart card reader emulation device 117 readable storage medium and are associated with each other, and the smart card applet 113, the smart card emulator 111, and the data store 115 are stored in smart card reader emulation device 117 readable medium and are associated with each other.
FIG. 2 is a block diagram illustrating smart card reader emulation device and portable wireless device radio transceivers according to an embodiment of the present disclosure. In the embodiment, the smart card reader emulation device radio transceiver 121 includes a first radio transceiver 203 and a second radio transceiver 205. The first radio transceiver 203 includes transmission and receiving structures that allow the smart card reader emulation device radio transceiver 121 to communicate with the portable wireless device 101 via a first protocol and/or a first frequency. The second radio transceiver 205 includes transmission and receiving structures that allow the smart card reader emulation device radio transceiver 121 to communicate with the portable wireless device 101 via a second protocol and/or a second frequency. Similarly, the portable wireless device radio transceiver 103 includes a first radio transceiver 207 and a second radio transceiver 209 that complement the first radio transceiver 203 and the second radio transceiver 205 in the smart card reader emulation device radio transceiver 121, respectively. The smart card reader emulation device radio transceiver 121 and the portable wireless device radio transceiver 103 may include, for example, additional hardware or a combination of hardware and executing software that allows communication between the two radio transceivers over different frequencies and/or different communication protocols. In an embodiment, the first radio transceiver and the second radio transceiver of either the smart card reader emulation device 117 or the portable wireless device 101, or both, are implemented using software executing on one or more processors, and share common hardware structures.
For example, the first radio transceiver and the second radio transceiver may share a common antenna, or a common receiver, but the frequencies associated with the first radio transceiver and the second radio transceiver may be different, and may be interpreted differently using the software. For example, communications received by a first frequency may be interpreted using a first protocol, and communications received by a second frequency may be interpreted using a second protocol. In an embodiment, the first and second radio transceivers are separate structures. In the embodiment, the first and second radio transceivers may not share components, may communicate directly with processors or memory, and may operate independently of one another.
FIG. 3 is a flowchart illustrating remote authentication from a smart card reader emulation device 117 according to an embodiment of the present disclosure. The method begins at block 301. At block 303, the smart card reader emulation device radio transceiver 121 is set to a discoverable mode. The discoverable mode, in an embodiment, allows the smart card reader emulation device radio transceiver 121 to search for devices that it may connect to and communicate with. In an embodiment, the radio smart card reader driver 119 sets the smart card reader emulation device radio transceiver 121 into a discoverable mode. In an embodiment, the operating system 125 or other executable program sets the smart card reader emulation device radio transceiver 121 into a discoverable mode.
In block 305, the smart card reader emulation device 117 polls all of the devices that the smart card reader emulation device radio transceiver 121 may communicate with. If a portable wireless device 101 or other device with a comparable radio transceiver is found, the smart card reader emulation device radio transceiver 121 attempts to determine if the smart card reader emulation device radio transceiver 121 may connect with the radio transceiver associated with the device. If the smart card reader emulation device radio transceiver 121 may not connect with the radio transceiver associated with the device, the smart card reader emulation device 117 attempts to connect with other devices in the vicinity, as shown in block 307. If the smart card reader emulation device radio transceiver 121 may connect to the radio transceiver associated with the device, the smart card reader emulation device radio transceiver 121 checks to see if the device will accept the connection. If the device will not accept the connection, the smart card reader emulation device 117 will move to the next device, as shown in block 307. If the device will accept the connection, the smart card reader emulation device 117 will attempt to create a successful connection with the device, as shown in block 309. In an embodiment, the portable wireless device 101 initiates a connection to the smart card reader emulation device 117. The portable wireless device 101 may initiate the connection by transmitting one or more signals to the smart card reader emulation device 117.
In block 311, the smart card reader emulation device radio transceiver 121 may send one or more signals to the portable wireless device radio transceiver 103. The portable wireless device application 109 operating on the portable wireless device 101 may receive the one or more signals, and may generate one or more signals for transmission from the portable wireless device radio transceiver 103 to the smart card reader emulation device radio transceiver 121. The smart card reader emulation device radio transceiver 121 receives the one or more signals, and transmits them to the radio smart card reader driver 119. Based on the signals received from the portable wireless device application 109, the radio smart card reader driver 119 recognizes that the portable wireless device application 109 is operating on the portable wireless device 101. The radio smart card reader driver 119 may, in an embodiment, send one or more signals to the operating system 125 that a smart card has been inserted. The radio smart card reader driver 119, by sending these signals to the operating system 125, communicates to the operating system 125 that a smart card has been inserted into a smart card reader, when, in fact, there may not be a smart card reader associated with the smart card reader emulation device 117.
In block 313, the operating system 125 may attempt to send an authentication request to the smart card. In another embodiment, the operating system 125 may wait for one or more applications in the application software 123 to send an authentication request to the smart card. While the operating system 125 is waiting, the portable wireless device 101 may move out of range of the smart card reader emulation device radio transceiver 121, in a connection end event. In a connection end event, indicated in block 315, the smart card reader emulation device radio transceiver 121 signals to the radio smart card reader driver 119 that a portable wireless device 101 or other device that was once connected to the smart card reader emulation device radio transceiver 121 is no longer found. The radio smart card reader driver 119 receives the signals from the smart card reader emulation device radio transceiver 121, and sends signals to the operating system 125 and/or the application software 123 that a smart card has been removed from the smart card reader.
In block 317, the operating system 125 and/or the application software 123 sends one or more commands to the radio smart card reader driver 119 requesting access to the smart card. The request may be, for example and without limitation, a request to access data located on the smart card, or one or more authentication requests based on information associated with the smart card.
The radio smart card reader driver 119 receives the commands from the application software 123 and/or the operating system 125, and sends the commands to the portable wireless device application 109 via the smart card reader emulation device radio transceiver 121, as shown in block 319. The smart card reader emulation device radio transceiver 121 receives the commands, and transmits the commands to the portable wireless device radio transceiver 103. The transmission may occur via one or more communication protocols known by both the smart card reader emulation device radio transceiver 121 and the portable wireless device radio transceiver 103. In an embodiment, the commands are encrypted by the smart card reader emulation device radio transceiver 121. In an embodiment, the commands are compressed by the smart card reader emulation device radio transceiver 121 before transmission to the portable wireless device radio transceiver 103.
The smart card reader emulation device radio transceiver 121 receives one or more response signals from the portable wireless device radio transceiver 103, as shown in block 321. In an embodiment, the smart card reader emulation device radio transceiver 121 decrypts the signals received from the portable wireless device radio transceiver 103. In an embodiment, the smart card reader emulation device radio transceiver 121 decompresses the signals received from the portable wireless device radio transceiver 103. The smart card reader emulation device radio transceiver 121 sends the response to the radio smart card reader driver 119.
In block 323, the radio smart card reader driver 119 transmits the response to the requesting software. In an embodiment, the radio smart card reader driver 119 transmits the response to the operating system 125. In an embodiment, the radio smart card reader driver 119 transmits the response to one or more applications operating in the application software 123. The radio smart card reader driver 119 formats the response so that it appears to the application software 123 and/or the operating system 125 to be a response from a smart card reader and smart card.
In block 325, the operating system 125 or the application software 123 performs one or more actions based on the response received from the radio smart card reader driver 119. In an embodiment, the operating system 125 receives the response from the radio smart card reader driver 119, and, based on the response, authenticates the user, or does not authenticate the user. In an embodiment, an application executing in the application software 123 receives the response from the radio smart card reader driver 119, and executes one or more commands based on the response.
In block 327, the radio smart card reader driver 119 continues to monitor the application software 123 and the operating system 125 for requests for access to the smart card, and continues to monitor the smart card reader emulation device radio transceiver 121 for signals received from the portable wireless device 101. The method may return to block 313, and continue to monitor until a connection end event is received or another request is received from the application software 123 or the operating system 125.
FIG. 4 is a flowchart illustrating remote authentication at a portable wireless device 101 according to an embodiment of the present disclosure. The method may begin at block 401. The method presumes that a portable wireless device 101 is operating, that the portable wireless device application 109 is operating on the portable wireless device 101, and that the portable wireless device radio transceiver 103 is operable.
In block 403, the portable wireless device radio transceiver 103 receives a radio connection request from the smart card reader emulation device radio transceiver 121. In an embodiment, the radio connection request includes a connection request identified by the Bluetooth protocol. The connection request may be encrypted, or may include additional information regarding the smart card reader emulation device radio transceiver 121, the smart card reader emulation device 117, and/or the radio smart card reader driver 119.
In block 405, if the portable wireless device 101 identifies the smart card reader emulation device radio transceiver 121, the smart card reader emulation device 117, and/or the radio smart card reader driver 119, the portable wireless device 101 may create a connection with the smart card reader emulation device 117. In an embodiment, the connection may be made via the Bluetooth protocol. In an embodiment, other radio communication protocols may be used. In an embodiment, the radio communication protocols may require one or more codes or additional information to be input by the user via the portable wireless device 101, by the user and/or the operating system 125 on the smart card reader emulation device 117, or a combination of the two.
In block 407, data from the data store 115 associated with the portable wireless device application 109 is loaded into memory associated with the portable wireless device application 109. In an embodiment, the memory may be associated with the portable wireless device 101. In an embodiment, the memory may not be associated with a portable wireless device 101, but may be separate from the portable wireless device 101 memory. The data from the data store 115 may include, but is not limited to, one or more public and/or private keys that uniquely identify a user, one or more pieces of biometric data that uniquely identify a user, one or more certificates, or other data associated with the user, or that may be used to uniquely identify a user. In an embodiment, the data from the data store 115 may be encrypted in the data store 115, and may be decrypted prior to storage in the memory. In an embodiment, PINs, passwords, and/or lockout counters may also be stored in the data store 115.
In block 409, the portable wireless device application 109 waits for commands from the smart card reader emulation device radio transceiver 121. The commands may be, but are not limited to, authentication requests from the application software 123 and/or the operating system 125 that are intercepted by the radio smart card reader driver 119. While the portable wireless device application 109 waits for commands from the smart card reader emulation device radio transceiver 121, the portable wireless device 101 may move out of range of the smart card reader emulation device radio transceiver 121. In the connection end event, shown in block 411, the radio transceiver of the portable wireless device 101 cannot communicate with the smart card reader emulation device radio transceiver 121, and the portable wireless device application 109 stores updated or new state information from the smart card application to the data store 115. The updated or new state information may include, but is not limited to, information modified since the connection was created in block 405, such as new or updated key pairs, PIN or password lockout counter updates, updated certificates, or other changed or new information that has been generated. The state information may be encrypted before storage in the data store 115. If a connection end event is indicated, the method may return to block 403, where the portable wireless device 101 may wait for radio connection requests from the smart card reader emulation device 117, or from another smart card reader emulation device 117.
In block 413, the portable wireless device application 109 receives one or more commands from the portable wireless device radio transceiver 103. The one or more commands may be, but are not limited to, authentication requests from the application software 123 and/or the operating system 125 via the radio smart card reader driver 119. The portable wireless device application 109 receives the command or commands via the portable wireless device radio transceiver 103. The portable wireless device application 109 receives the one or more commands, and transmits the one or more commands to the smart card applet 113.
In block 415, the smart card emulator 111 translates the commands received from the portable wireless device radio transceiver 103 into one or more commands that the smart card applet 113 may receive and process. The smart card emulator 111 transmits the one or more commands to the smart card applet 113.
In block 417, the smart card applet 113 receives the one or more commands from the smart card emulator 111, and accesses the data store 115 or other memory associated with the portable wireless device application 109, to retrieve information in order to formulate a response to the one or more commands. The smart card applet 113 may, for example, retrieve one or more certificates from the data store 115 and/or the memory associated with the portable wireless device 101 in response to the one or more commands. In an embodiment, the smart card applet 113 may retrieve biometric identification information from the data store 115 and/or the memory associated with the portable wireless device 101 in response to the one or more commands. In an embodiment, the smart card applet 113 may retrieve additional information from the data store 115 and/or the memory associated with the portable wireless device 101 in response to the one or more commands. In an embodiment, the smart card applet 113 may perform one or more transformations on the data received from the data store 115 and/or the memory associated with the portable wireless device 101. For example, and without limitation, the smart card applet 113 may retrieve a public key and/or a private key from the data store 115 and/or memory associated with the portable wireless device 101, and may apply the key to the one or more commands received from the smart card emulator 111. The smart card applet 113 transmits the information retrieved to the smart card emulator 111. In an embodiment, the smart card applet 113 may also compare a supplied PIN or password with the correct value, may compare the user's supplied fingerprint data with that stored, may store a supplied certificate or key for later use, or may generate a new key pair in accordance with the parameters supplied.
In block 419, the smart card emulator 111 transmits the response from the smart card applet 113 to the portable wireless device radio transceiver 103. The portable wireless device radio transceiver 103 may transmit the response to the smart card reader emulation device radio transceiver 121 via one or more radio communication protocols. In an embodiment, the response, or other information associated with the response, may be encrypted and/or compressed before transmission to the smart card reader emulation device radio transceiver 121. After the smart card emulator 111 in the portable wireless device radio transceiver 103 has transmitted the response to the smart card reader emulation device radio transceiver 121, the method may return to block 409, where the portable wireless device 101 may wait for additional commands to be received from requesting software via the smart card reader emulation device radio transceiver 121.
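The reader-side procedure of FIG. 3 and the phone-side procedure of FIG. 4 are two halves of one command exchange. The following is an added example that models that exchange; it is not code from the disclosure. It assumes a JSON frame format, the command names VERIFY_PIN, GET_CERT and SIGN, a three-try lockout counter and constructed data store contents, none of which the disclosure specifies, and it uses a keyed HMAC in place of the private-key signature the text describes, so the verifying side shares a secret rather than holding the user's public key.

```python
"""Added example, not code from the disclosure: a minimal model of the command
exchange in FIG. 3 (reader-emulation side) and FIG. 4 (phone side). The driver
turns OS/application requests into JSON frames, the applet answers them from a
copy of the data store, and the applet state is handed back at a connection
end event. Every name, frame format and sample value here is constructed; a
keyed HMAC stands in for the private-key signature the disclosure describes."""
import hashlib
import hmac
import json

MAX_PIN_TRIES = 3  # assumed lockout counter limit

# Constructed sample contents of data store 115 for one user (block 407).
SAMPLE_STORE = {
    "cert": "CONSTRUCTED-CERTIFICATE-PLACEHOLDER",
    "key": "a3" * 32,  # constructed 256-bit secret standing in for the private key
    "pin_hash": hashlib.sha256(b"1234").hexdigest(),
    "pin_tries_left": MAX_PIN_TRIES,
}


class SmartCardApplet:
    """Phone-side applet 113: answers commands from in-memory state (blocks 415-419)."""

    def __init__(self, data_store):
        self.state = dict(data_store)   # working copy; persisted again at connection end
        self.pin_verified = False       # security status, never persisted

    def handle(self, cmd):
        op = cmd.get("op")
        if op == "VERIFY_PIN":
            if self.state["pin_tries_left"] == 0:
                return {"status": "BLOCKED"}
            supplied = hashlib.sha256(cmd["pin"].encode()).hexdigest()
            if hmac.compare_digest(supplied, self.state["pin_hash"]):
                self.state["pin_tries_left"] = MAX_PIN_TRIES  # reset counter on success
                self.pin_verified = True
                return {"status": "OK"}
            self.state["pin_tries_left"] -= 1                # lockout counter update
            return {"status": "WRONG_PIN", "tries_left": self.state["pin_tries_left"]}
        if op == "GET_CERT":
            return {"status": "OK", "cert": self.state["cert"]}  # public data, no PIN needed
        if op == "SIGN":
            if not self.pin_verified:  # key use requires a verified PIN first
                return {"status": "SECURITY_STATUS_NOT_SATISFIED"}
            sig = hmac.new(bytes.fromhex(self.state["key"]),
                           bytes.fromhex(cmd["challenge"]), hashlib.sha256).hexdigest()
            return {"status": "OK", "signature": sig}
        return {"status": "UNKNOWN_OP"}

    def connection_end(self):
        """Block 411: drop the cached PIN status and return state for data store 115."""
        self.pin_verified = False
        return dict(self.state)


class RadioSmartCardReaderDriver:
    """Driver 119: looks like a reader to the OS, forwards commands over the link (blocks 311-323)."""

    def __init__(self, link):
        self.link = link          # callable: request frame (bytes) -> response frame (bytes)
        self.card_present = False

    def card_inserted(self):      # block 311: phone application recognised
        self.card_present = True

    def card_removed(self):       # block 315: connection end event
        self.card_present = False

    def transmit(self, cmd):
        if not self.card_present:
            return {"status": "NO_CARD"}
        return json.loads(self.link(json.dumps(cmd).encode()).decode())


def verify_signature(store, challenge_hex, signature):
    """What the requesting software does with a SIGN response (block 325).
    With the HMAC stand-in the verifier needs the same secret; with the
    asymmetric key pair of the disclosure it would hold the public key."""
    expected = hmac.new(bytes.fromhex(store["key"]), bytes.fromhex(challenge_hex),
                        hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signature)


def run_session(pin_attempts, challenge_hex):
    """One reader session: read cert, try PINs in order, request a signature, disconnect."""
    applet = SmartCardApplet(SAMPLE_STORE)

    def link(frame):  # constructed stand-in for transceivers 121 <-> 103
        return json.dumps(applet.handle(json.loads(frame.decode()))).encode()

    driver = RadioSmartCardReaderDriver(link)
    driver.card_inserted()
    responses = [driver.transmit({"op": "GET_CERT"})]
    responses += [driver.transmit({"op": "VERIFY_PIN", "pin": p}) for p in pin_attempts]
    responses.append(driver.transmit({"op": "SIGN", "challenge": challenge_hex}))
    driver.card_removed()
    return responses, applet.connection_end(), driver.transmit({"op": "GET_CERT"})


if __name__ == "__main__":
    print(run_session(["0000", "1234"], "00" * 16))
```

The points to notice are the ones the text singles out: the lockout counter is part of the state handed back at the connection end event, while the PIN-verified status is not, and once the driver has reported the card removed the requesting software gets a no-card status rather than a forwarded command.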
FIG. 5 is a flowchart illustrating a method of proximity authentication according to an embodiment of the present disclosure. The method may begin at block 501. The method presumes that the smart card reader emulation device radio transceiver 121 is active and is able to connect with the portable wireless device radio transceiver 103. The method also presumes that the portable wireless device radio transceiver 103 is active and able to pair with the smart card reader emulation device radio transceiver 121.
In block 503, the portable wireless device 101 enters a range of the smart card reader emulation device radio transceiver 121, so that the signal strength of the portable wireless device radio transceiver 103 is at or above a set level. The smart card reader emulation device radio transceiver 121 measures the signal strength from the portable wireless device 101. The level, in an embodiment, may be set by the user. In another embodiment, the level is set by the radio smart card reader driver 119 and/or the smart card reader emulation device radio transceiver 121. In an embodiment, the level may be set so that any contact which enables the smart card reader emulation device radio transceiver 121 to make and maintain a radio connection to the portable wireless device radio transceiver 103 is sufficient. In another embodiment, the level may be set so that more substantial signal strength is required to enable a connection, and so a connection may be refused by the smart card reader emulation device radio transceiver 121 even though a sufficient radio connection could be made. For example, and without limitation, if the level is set so that the smart card reader emulation device radio transceiver 121 refuses connections unless the signal strength indicates the portable wireless device radio transceiver 103 is no more than 5 feet away, a radio connection may be refused if the signal strength indicates that the portable wireless device radio transceiver 103 is 10 feet away from the smart card reader emulation device radio transceiver 121. The connection may be refused even if the smart card reader emulation device radio transceiver 121 and the portable wireless device radio transceiver 103 can make a connection at 10 feet or more. The level may be set by a user, or may be set according to a security policy and/or other commands from a policy server or other system.
In an embodiment, instead of the signal strength being selected and used to set a level, the transmit power of the radio transceiver 121 or the radio transceiver 103 is changed, so that the level indicates the range at which a connection may be made. For example, the smart card reader emulation device 117 may transmit commands to the remote wireless device 101 for the remote wireless device 101 to set its radio transceiver 103 at a certain level, according to the user's request or one or more security policies. The remote wireless device 101 may set the transmit power of the radio transceiver 103 to the level specified by the smart card reader emulation device 117, so that when the radio transceiver 103 and the radio transceiver 121 are in range to create a connection, the transceivers are also within range of the level set by the user or the one or more security policies.
In block 505, if the portable wireless device 101 is within range of the smart card reader emulation device radio transceiver 121, and is also within the limit, the smart card reader emulation device radio transceiver 121 will form a radio connection with the radio transceiver 103 associated with the portable wireless device 101.
In block 507, the operating system 125, the application software 123, and/or the radio smart card reader driver 119 may request an authentication from the portable wireless device application 109. In an embodiment, the operating system 125, the application software 123, and/or the radio smart card reader driver 119 may request one or more certificates from the portable wireless device application 109. In an embodiment, the smart card reader emulation device 117 may send one or more challenge requests to the portable wireless device 101. The challenge requests may include, for example, data to encrypt with one or more keys, for example by an asymmetric key pair, where one of the keys is resident on the smart card reader emulation device 117, and the other complementary key is resident on the portable wireless device 101. In an embodiment, a username and/or password may be requested from the portable wireless device 101. In an embodiment, the portable wireless device 101 may be challenged to sign a random value using one or more keys available to the portable wireless device application 109.
In block 509, the portable wireless device radio transceiver 103 receives the authentication request, and transmits the authentication request to the portable wireless device application 109. The portable wireless device application 109 receives the authentication request, and transmits the authentication request to the smart card emulator 111. The smart card emulator 111 receives the authentication request, and transmits the authentication request to the smart card applet 113. The smart card emulator 111 may translate the authentication request so that it is readable by the smart card applet 113. The smart card applet 113 receives the authentication request from the smart card emulator 111, and accesses the data store 115 and/or the memory associated with the portable wireless device 101 to create a response to the authentication request. The response may include, but is not limited to, public and/or private keys, certificates, or unique biometric information associated with the user. The smart card applet 113 transmits the response to the smart card emulator 111. The smart card emulator 111 receives the response from the smart card applet 113, and transmits the response via the portable wireless device radio transceiver 103 to the smart card reader emulation device radio transceiver 121. The smart card reader emulation device radio transceiver 121 receives the response, and transmits the response to the radio smart card reader driver 119. The radio smart card reader driver 119 receives the response, and transmits the response to the application software 123 and/or the operating system 125. The application software 123 and/or the operating system 125 receives the response, and performs one or more actions based on the response. The actions may include, but are not limited to, authorizing a user to operate the smart card reader emulation device 117, or to perform one or more tasks with the authority of the user.
In block 511, the smart card reader emulation device radio transceiver 121 continues to monitor the signal strength of the portable wireless device radio transceiver 103. In block 513, if the signal strength from the portable wireless device radio transceiver 103 is at or above the limit specified, the method returns to block 511 to continue to monitor the signal strength. If the signal strength from the portable wireless device radio transceiver 103 is below the limit specified, the method proceeds to block 515, and the smart card reader emulation device 117 de-authorizes the user from using the smart card reader emulation device 117. The de-authorization may include, but is not limited to, logging the user off of the smart card reader emulation device 117, locking the smart card reader emulation device 117 to prevent access, or other actions by the operating system 125 and/or the application software 123 to prevent unauthorized access to the smart card reader emulation device 117. The user may also be de-authorized by erasing cached PIN and/or password values from the portable wireless device 101 and/or the smart card reader emulation device 117, so that they must be re-entered the next time an authentication request is received. If the portable wireless device 101, and the portable wireless device radio transceiver 103, move again to within the proximity limit, the method may begin again at block 505. In an embodiment, the smart card reader emulation device 117 does not de-authorize the user and/or remove the certificate, so if the portable wireless device radio transceiver 103 moves again to within the proximity limit, the smart card reader emulation device 117 may reauthorize the user to access the smart card reader emulation device 117, and may continue at block 511.
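The proximity procedure of FIG. 5 (admission only when the signal strength meets a limit, continued monitoring, and de-authorization with erasure of cached PINs, or the alternative embodiment that keeps the authorization) is shown below as an added example; it is not the disclosure's own code. The RSSI readings in dBm, the policy fields, the optional averaging window and the PIN prompt are constructed assumptions, and the limit value would be calibrated per deployment rather than taken from this example.

```python
"""Added example, not code from the disclosure: reader-emulation side of FIG. 5.
Readings, policy fields, the averaging window and the PIN prompt are constructed."""
from collections import deque
from typing import Callable, List, Optional


class ProximityPolicy:
    """Constructed policy record, as a policy server might push to device 117."""

    def __init__(self, min_rssi_dbm=-60.0, window=1, keep_authorization=False):
        self.min_rssi_dbm = min_rssi_dbm   # assumed limit; calibrate to the distance target
        self.window = window               # >1 averages readings so one bad sample does not lock the device
        self.keep_authorization = keep_authorization  # models the embodiment that does not de-authorize


class ReaderSession:
    """Admission (blocks 503/505), monitoring (511/513) and de-authorization (515)."""

    def __init__(self, policy: ProximityPolicy):
        self.policy = policy
        self.samples = deque(maxlen=policy.window)   # most recent RSSI readings from transceiver 121
        self.connected = False
        self.authorized = False
        self.cached_pin: Optional[str] = None        # PIN cached on the reader side between requests
        self.events: List[str] = []

    def in_range(self) -> bool:
        """True when the (averaged) reading is at or above the policy limit."""
        if not self.samples:
            return False
        return sum(self.samples) / len(self.samples) >= self.policy.min_rssi_dbm

    def authenticate(self, pin_prompt: Callable[[], str]) -> None:
        """Blocks 507-509 reduced to the PIN step: prompt only if nothing is cached."""
        if self.cached_pin is None:
            self.cached_pin = pin_prompt()
            self.events.append("pin_prompt")
        self.authorized = True
        self.events.append("authorize")

    def observe(self, rssi_dbm: float, pin_prompt: Callable[[], str] = lambda: "1234") -> None:
        """Process one signal-strength reading."""
        self.samples.append(rssi_dbm)
        if not self.connected:
            if not self.in_range():
                self.events.append("refused")    # link possible, but below the limit (block 503)
                return
            self.connected = True                # block 505
            self.events.append("connect")
            if not self.authorized:
                self.authenticate(pin_prompt)
            return
        if self.in_range():                      # block 513: still within the limit
            return
        self.connected = False
        if self.policy.keep_authorization:
            self.events.append("out_of_range")   # session kept; a return continues at block 511
            return
        self.authorized = False                  # block 515: de-authorize
        self.cached_pin = None                   # erase the cached PIN; must be re-entered next time
        self.events.append("lock")


# Constructed readings: approach, stay, drift away, come back.
SAMPLE_READINGS = [-75.0, -58.0, -55.0, -62.0, -70.0, -57.0]


def replay(readings, policy=None, pin_prompt: Callable[[], str] = lambda: "1234") -> ReaderSession:
    """Feed a list of readings to a fresh session and return it for inspection."""
    session = ReaderSession(policy or ProximityPolicy())
    for r in readings:
        session.observe(r, pin_prompt)
    return session


if __name__ == "__main__":
    print(replay(SAMPLE_READINGS).events)
```

With the default policy the sample readings produce a refusal, a connection with a PIN prompt, a lock when the reading drops below the limit, and a second PIN prompt on return; with keep_authorization set the same readings leave the user authorized across the gap, which is the trade-off the two embodiments in the text describe.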
Among other advantages, the present disclosure may allow the use of portable wireless devices or other devices a user carries with one or more processors and memory in place of one or more smart cards. Accordingly, the proposed techniques can improve user control of devices by providing a more intuitive and user-friendly way to use a smart card infrastructure and/or other multi-factor authentication effectively. Additionally, the smart phone's keyboard, touch screen, and other sensors can be used as inputs to the smart card applet. Information about which resources are being authenticated to can be presented to the user on the smart phone's screen, so that the user is aware of what resources are being accessed while the smart phone is connected to the computer. The user could also be given a choice about whether or not to accept such accesses. Also, information stored in the smart card applet can be displayed to the user on the smart phone's screen. Other advantages will be recognized by those of ordinary skill in the art.
The above detailed description of the invention and the examples described therein have been presented for the purposes of illustration and description only and not by limitation. It is therefore contemplated that the present invention cover any and all modifications, variations or equivalents that fall within the spirit and scope of the basic underlying principles disclosed above and claimed herein.